Email Bombing and Fake Support Calls: How the Scam Works and What to Do
Oct 20, 2025 | Alex Davis | Cybersecurity | Email Security



Email bombing is a common social engineering attack where criminals first overwhelm a victim’s inbox with spam and then follow up with a fake support call. Attackers use the chaos to pressure victims into installing remote access tools or revealing credentials. The result can be data theft, ransomware, fraudulent invoices, and long recovery processes. This guide shows how the scam works, how to spot it, and exactly what to do if you or your organization are targeted.
How the Attack Works
Step 1: Email Bombing to Create Chaos
Attackers trigger hundreds or thousands of emails to flood a victim’s inbox. They use techniques such as fake newsletter sign-ups, automated form submissions, or hijacked third-party lists. The inbox fills with messages that look legitimate or urgent, creating stress and distraction.
Step 2: A Follow-Up Fake Support Call
While the recipient is distracted, someone calls or messages pretending to be IT support. The caller claims they can stop the flood and secure the account immediately. They may spoof caller ID or appear as a familiar internal contact.
Step 3: Social Engineering for Access
The fake technician asks the victim to install remote access software, run commands, or provide one-time verification codes. Once installed or provided, the attacker has direct control of the device and can move laterally in the environment, steal credentials, or deploy malware.
Variations and Related Tactics
Attackers may send follow-up phishing emails with malicious links, request invoice payments to fraudulent accounts, or pressure victims to disable MFA protections by asking for verification codes.
How to Recognize the Scam
- A sudden flood of email arriving from multiple legitimate-looking senders
- An unsolicited call or message claiming to be IT support and offering immediate remediation
- A sense of urgency and pressure to install software or share codes right away
- Caller ID that seems plausible but is not verified through internal channels
- Requests to approve remote access tools such as AnyDesk or TeamViewer, or to run administrative commands
If you feel pressured, pause. Pressure and urgency are core tactics used to short-circuit rational decision making.
Immediate Actions for Individuals
- Do not grant remote access. Politely refuse and hang up if a caller pressures you.
- Do not install software or run commands prompted by unsolicited contacts.
- Block the sender and mark the messages as junk or phishing in your mail client.
- Report the incident to your internal IT or security team immediately. If you do not have internal IT, contact your email provider or managed service provider.
- If you suspect you shared credentials or codes, change your passwords from a different device and enable multi-factor authentication if not already enabled.
- Document the incident: save inbound messages, record caller ID, note timestamps, and preserve any files accidentally downloaded for investigation.
What Your IT or Security Team Should Do
Contain and Triage
- Temporarily disable affected account logins or force password resets for impacted users.
- Apply temporary rate limits and blocking on inbound mail to the affected accounts.
- Isolate any devices that were given remote access or show signs of compromise.
Investigate and Collect Evidence
- Collect email headers and logs to trace the source of the flood.
- Pull endpoint telemetry from EDR to identify suspicious processes or remote access client installations.
- Check authentication logs for unusual sign-in activity and MFA approval events.
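One way to tie the mail logs and EDR telemetry together during triage, as an added example that is not part of the original article: it finds recipients hit by a flood from many sender domains, then flags unapproved remote access tool launches by the same user shortly afterwards. The tuple log formats, the thresholds, the empty allowlist, and the assumption that the mailbox address matches the endpoint user name are all illustrative.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them against your own mail baseline.
WINDOW = timedelta(minutes=10)    # sliding window per recipient
MIN_MSGS = 50                     # messages inside WINDOW
MIN_DOMAINS = 20                  # distinct sender domains inside WINDOW
FOLLOWUP = timedelta(hours=2)     # how long after flood onset to watch endpoints
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe"}  # tools named in this article
ALLOWLIST = set()                 # image names of IT-managed support tools, if any

def find_floods(mail_events):
    """mail_events: (timestamp, recipient, sender_domain). Returns {recipient: onset}."""
    windows, onset = defaultdict(deque), {}
    for ts, rcpt, domain in sorted(mail_events):
        q = windows[rcpt]
        q.append((ts, domain))
        while ts - q[0][0] > WINDOW:          # drop events older than the window
            q.popleft()
        if rcpt not in onset and len(q) >= MIN_MSGS:
            if len({d for _, d in q}) >= MIN_DOMAINS:
                onset[rcpt] = ts              # first moment both thresholds are met
    return onset

def correlate(onset, proc_events):
    """proc_events: (timestamp, user, image_name). Returns (user, tool, delay) hits."""
    hits = []
    for ts, user, image in proc_events:
        name = image.lower()
        start = onset.get(user)
        if (start and name in REMOTE_TOOLS and name not in ALLOWLIST
                and start <= ts <= start + FOLLOWUP):
            hits.append((user, name, ts - start))
    return hits

def sample_data():
    """Constructed sample logs, not taken from a real incident."""
    t0 = datetime(2025, 1, 1, 9, 0, 0)
    mail = [(t0 + timedelta(seconds=5 * i), "alice@example.com", f"news{i % 40}.example")
            for i in range(120)]              # flood: 120 messages from 40 domains
    mail += [(t0 + timedelta(minutes=7 * i), "bob@example.com", "vendor.example")
             for i in range(6)]               # normal traffic
    procs = [(t0 + timedelta(minutes=25), "alice@example.com", "AnyDesk.exe"),
             (t0 + timedelta(minutes=30), "bob@example.com", "TeamViewer.exe")]
    return mail, procs

if __name__ == "__main__":
    mail, procs = sample_data()
    print(correlate(find_floods(mail), procs))
```

Only the launch that follows a flood is flagged here; a remote access tool started without a preceding flood still needs review against the remote access policy.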
Remediate and Recover
- Revoke active sessions and reset credentials for impacted accounts.
- Remove unauthorized remote access software and run full endpoint scans.
- Roll out targeted phishing simulations and user awareness reminders to reinforce policy.
Strengthen Defenses Post-Incident
- Tune spam filters, implement or refine rate limiting, and block known abusive IP ranges.
- Review and enforce remote access policy requiring prior approval and managed remote support tools only.
- Ensure logging and alerting for anomalous MFA or account activity.
Preventive Measures for Organizations
Email Controls and Authentication
- Implement SPF, DKIM, and DMARC to reduce spoofing and improve filtering.
- Use mailbox rate limiting and reputation-based blocking to prevent mass email delivery to internal users.
- Configure advanced anti-phishing tools and attachment sandboxing.
Identity and Access Controls
- Enforce multi-factor authentication for all accounts, and educate staff never to share one-time codes.
- Use privileged access management for any support or admin activities.
- Adopt an allowlist for remote management software and enforce installations via trusted channels only.
Policies and Training
- Maintain a clear policy that internal IT will never request remote access without prearranged verification.
- Train staff to verify support requests through a secondary channel, such as a known internal phone number or a ticketing system.
- Run regular phishing simulations and tabletop exercises that include multi-channel social engineering.
Reporting the Attack
If you are in the United States, you can report the attack to the Federal Trade Commission at reportfraud.ftc.gov and to the FBI Internet Crime Complaint Center at www.ic3.gov. For identity compromise, visit IdentityTheft.gov for recovery actions. Local law enforcement may also be able to assist depending on the severity.
Final Advice
Email bombing followed by a fake support call is a cheap and effective social engineering tactic because it relies on human stress and urgency. The best defense is preparation: enforce strong email and identity controls, maintain strict remote access policies, and train employees to verify all support requests. If you are unsure about any call or message, do not engage. Report it and let security professionals investigate.
FAQ
What is email bombing?
Email bombing floods a target inbox with a large volume of messages to overwhelm the user. Attackers use it to create distraction and urgency for follow-up social engineering.
Why do attackers follow email bombing with a phone call?
The phone call exploits the victim’s stress and distraction, increasing the chance the victim will follow instructions and grant remote access or reveal codes.
If I installed remote software during an attack, what should I do?
Disconnect the device from the network immediately, report to IT or security, and do not log into sensitive accounts until the device is verified clean. Expect to reset credentials and run forensic scans.
How can I verify a legitimate IT support call?
Verify through an independent channel such as your company’s official helpdesk number or ticketing portal. Do not rely on caller ID alone.
Can technical controls stop an email bomb?
Controls like SPF, DKIM, and DMARC, rate limiting, spam filtering, and reputation blocking help reduce impact. They do not replace user awareness and incident response plans.
Should I report the scam even if no data was stolen?
Yes. Reporting helps authorities track trends and can assist in recovery and mitigation measures across organizations.